tal197 writes "Zero Install, the decentralized cross-platform software installation system, announced 0install 2.0 today after 2 years in development. 0install allows authors to publish directly from their own web-sites, while supporting familiar features such as shared libraries, automatic updates, dependency handling and digital signatures. With more than one thousand packages now available, is this finally a viable platform?"

I think the parent was pointing out that Apple is never going to allow a 3rd party package manager on iOS. Because of their success, it looks like the other players (MS, Google, etc.) are trying to get a similar ecosystem. So, while the project seems like a good idea, the bleak future may be devoid of platforms where such a project could be installed anyway.

It's similar in concept to a decentralized app store or repository. It sounds like a great idea. It sounds like it frees your system from the "clutches" of your distro's repository.

But, like many other great ideas, it fails in the cold daylight of reality.

In order for it to work, the software developer has to not only publish their software on the Zero Install system, they have to publish their software for ALL the distros on it. But, we all know well that most software developers regard this as far too cumbersome an undertaking and will instead publish only a single or couple of binaries.

Of course, that's not an issue for programs written in Python, Ruby, Java, etc.

For C, you can also publish a source version and let the users compile (with 0install handling the build dependencies). Also, if someone wants to set up a build farm for a particular platform, they can use these source packages to create binaries automatically (e.g. for PPC binaries).

Producing separate binaries for different distributions (e.g. Ubuntu and Fedora) isn't necessary; one binary should work everywhere. The exception w

You're confused and don't understand what Zero Install is. Maybe the feature list needs to be worded better, but it is infinitely better than "an RPM alternative" because it can run ALONG SIDE an existing package manager. Zero Install can be used on ANY DISTRO and can ADD TO that distro, so it will expand the number of packages that are accessible to users. If I release my software for Zero Install it means any user will be able to install it easily, get automatic updates, uninstall it easily, potentiall

Seems to help programmers a lot. They can publish on their own site a single set of files and specifications for all platforms to manage installation and package creation. Packaging teams can use it to make their life easier.

The cross platform part is more a benefit for publishers. So if you're publishing a cross platform application, you can use this system to streamline the distribution process. Not a terrible idea though the majority of applications are not cross platform in the first place, so it's hard to see this system being used.

French words need to be used because English is an imprecise language designed for the lowest common denominator.

Sheesh. English is just as precise if you use it correctly. In some particular cases you may need to use a few more words. Words are free; don't be afraid. Anyway, if you want to be absolutely anal about precision, you want German, not French.

Though the summary mentions something I've been thinking a lot about lately, and that's shared libraries. 99.5% of the time when I have trouble getting something to work in Linux it comes down to a nasty spaghetti-like mess of libraries and their recursive dependencies. Sometimes some pieces of software have difficulty coexisting because they depend on different versions of supporting libraries.

I understand the benefits of shared libraries, but storage space is dirt-cheap today and I think a lot of problems might be solved simply by letting lots of pieces of software bundle their favorite versions of dependent libraries.

Or, how about this: Instead of linking to shared libraries by their filenames, applications specify the shared libraries they'd like to link to via md5 hashes of the libraries' contents. The linker checks its shared-library database-index (which could just be a directory whose directory-entries are md5 hash codes) to see if it has a shared library with that md5 hash installed; if yes, it links the application process to it; if no, it auto-downloads the shared library with that hash from the web repository, installs it, and then links the application process to it.

The advantages would be:

No library collisions, ever (well, to the extent that md5 hashes are unique, anyway).

No version mismatches, ever (each app will always run using the libraries it was built against, and no others).

No mucking about with LD_LIBRARY_PATH (as all shared libraries are auto-stored for you).

No manually installed missing libraries (they will instead be installed as necessary, on demand).

No space wasted by multiple copies of the same library present on your disk at once.

Some possible disadvantages:

No way to "patch" behavior of multiple applications by upgrading only a shared library they link to (you'd have to upgrade each of the applications instead, so that they reference the new library version's md5 hash)

Possible security issues from auto-installing shared libraries with malicious code (although arguably you either trust a developer enough to install his program, or you don't; the mechanics of how different parts of the program are installed aren't necessarily relevant)
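The lookup-or-fetch scheme proposed in the comment above, as an added example that is not part of the thread and is not 0install's own code. It uses SHA-256 in place of md5 (md5 collisions are practical, which would undo the "no collisions" property), and the class name `LibraryStore`, its `resolve` method, the `fetch` callable and the in-memory repositories are hypothetical, constructed for illustration.

```python
import hashlib
import os
import tempfile

def digest(data):
    # SHA-256 stands in for the md5 of the comment (assumption of this example).
    return hashlib.sha256(data).hexdigest()

class LibraryStore:
    """Directory whose entry names are the hex digests of the files' contents."""
    def __init__(self, root, fetch):
        self.root = root
        self.fetch = fetch      # hypothetical callable: digest -> bytes
        self.downloads = 0

    def resolve(self, wanted):
        """Return the path of the library with this digest, fetching if absent."""
        path = os.path.join(self.root, wanted)
        if os.path.exists(path):
            return path                     # already installed, shared by all apps
        data = self.fetch(wanted)
        self.downloads += 1
        if digest(data) != wanted:          # never install unverified bytes
            raise ValueError(f"content does not match digest {wanted}")
        with open(path, "wb") as f:
            f.write(data)
        return path

# Constructed sample data: two versions of one library and a tampered mirror.
LIB_V1 = b"libexample 1.0 (constructed sample bytes)"
LIB_V2 = b"libexample 1.1 (constructed sample bytes)"
HONEST_REPO = {digest(LIB_V1): LIB_V1, digest(LIB_V2): LIB_V2}
TAMPERED_REPO = {digest(LIB_V1): b"replaced by the mirror"}

def demo():
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        store = LibraryStore(good, HONEST_REPO.__getitem__)
        a = store.resolve(digest(LIB_V1))   # app A: downloads v1
        b = store.resolve(digest(LIB_V1))   # app B: reuses the same file
        c = store.resolve(digest(LIB_V2))   # app C: v2 coexists with v1
        try:
            LibraryStore(bad, TAMPERED_REPO.__getitem__).resolve(digest(LIB_V1))
            rejected = False
        except ValueError:
            rejected = True
        return a == b, a != c, store.downloads, rejected, os.listdir(bad)

if __name__ == "__main__":
    print(demo())
```

The digest check covers the auto-install concern only as far as integrity goes: it proves the bytes are the ones the application named, not that the application's author chose a trustworthy library.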

To get the hashes of the latest compatible versions, you could use 0install. e.g. to find the hashes for the dependencies of the SAM program:

$ 0install select http://www.serscis.eu/0install/serscis-access-modeller
- URI: http://www.serscis.eu/0install/serscis-access-modeller
  Version: 0.16-post
  Path:/home/tal/work/serscis-access-modeller/serscis-access-modeller-any-any

This defeats one of the "selling points" of using a dll. When functionality improves, the library is updated and all consumers of that library benefit from it. Locking in a specific version via hash would be functionally no different than just statically compiling the library into the binary. Then what is the point at all?

This defeats one of the "selling points" of using a dll. When functionality improves, the library is updated and all consumers of that library benefit from it.

Yes, you're quite right, but that's a tradeoff that might be worth making. Upgrading a shared library that an application already is using is a risk, since after the upgrade you are running an application in a configuration that its developer never tested against. Better perhaps to have the developer upgrade his application to the new version of the shared library, let him test it thoroughly, and then when he has released his new app version, download it (at which point it would auto-download the new shar

With Zero Install the packager can make the dependencies be whatever they want, including the version numbers. If they didn't trust a library to not break things, they could even set the version == (require only that version and no other) if they wanted. The user can also force different versions to be used than the recommended one in case they ever disagreed with the packager.

Just read the recent discussion about including golang in Debian. Pretty much just its promoter considered introducing a compiler with no support for proper dynamic libraries to be acceptable, and dynamic libraries accessed via hash are effectively static for all purposes other than disk/memory usage.

If there's a bug in libpng, what do you do? It has thousands of reverse dependencies, many directly and yet more transitively. A good deal of bugs there can be exploi

I very much agree with this. The programs (which weren't included with the distro) that I've had the least problems installing on Linux were the ones that threw in everything in the installer and use all their own libraries. Anything else just leads to dependency hell. Once, I was trying to install a new version of MySQL server, and couldn't install it because it wanted a newer version of the MySQL client library than what KDE was using. To remove the existing MySQL client library in order to upgrade, I w

It's still an advert, this time saying "Please download my project" rather than "Please buy my product". The payoff is the validation from his users that his efforts were actually worth something, rather than cold hard cash.

The best kind of ad, in my opinion. One of the reasons I follow slashdot is to learn about new developments in IT.

A successful project needs to attract enough developers to keep it going, and that means promotion of one kind or another. The commercial world can buy advertising. Slashdot is providing a valuable service by helping non-profit projects reach out to potential contributors and consumers.

This project is interesting to me because it tackles a problem I'd been considering recently. I use Can

Which have to perfectly align with the original ones and can totally mess everything up if you're not careful, a fact I had direct experience with when the xorg-edgers repo completely effed up my installation and even after backing things out I ended up having to reinstall.

Meanwhile, Zero Install keeps each app separated and sandboxed and you could argue that it is better than adding a repo.

Right, but Ubuntu and others will never package Zero Install by default unless it started getting wider adoption because of two factors:

1. More apps need to start using it so it gets in higher demand.
2. Ubuntu and others benefit from market fragmentation. By having all the software in their repos which aren't compatible with other distros, that pulls users to their platform just for software access. This is of course contrary to what the free software and Ubuntu philosophies are all about.

I have an idea the .deb package recommends "packagekit". If that conflicts with "python3-aptdaemon.pkcompat", I guess your package manager might offer to remove it. You could try using --no-install-recommends.

If you try to install a program that needs a library that is only available through your distribution, then 0install will offer to install it using PackageKit, if PackageKit is available.